====== Post-Engagement: Report ======

===== Review =====

**The six steps/stages of a PenTest...**

  - Pre-Engagement: Planning & Scope
  - Recon: Information Gathering
  - Scanning
  - Exploitation
  - Post-Exploitation
  - Post-Engagement: Report

===== Overview =====

**Outline of the Post-Engagement Stage:**

  - Prepare the Report
    - Executive Summary Report (for management)
    - Technical Report (for IT and InfoSec geeks)
  - Present the Report

----

====== The Report ======

The six sections of a PenTest report:

  - Executive Summary
  - Scope Details
  - Methodology
  - Findings & Remediation
  - Conclusion
  - Appendix / Appendices

===== 1. Executive Summary =====

The executive summary is by far the most important section of the report. It is the only section most people will read. It should be written in clear, non-techie language.

  * **Audience:** C-Suite Executives
  * **Length:** Brief (concise), maybe 1-2 pages on average.
  * **Location:** First section of the written report.
  * **Timing:** Last section you actually write (doing it last will help you prepare a concise summary).

===== 2. Scope Details =====

Document the scope...

  - The original scope of the Statement of Work (SOW).
  - Any scope adjustments that were made along the way.

===== 3. Methodology =====

The methodology section contains all the nitty-gritty technical details.

  * **Include:** types of testing, tools, observations, etc.
  * **Audience:** technical staff & developers
  * **Goal/Idea:** A security professional should be able to read this section and reproduce your results.
  * **NOT:** Do not include all the tedious enumerations, scans, screenshots, etc. Put all that crap in the Appendices. If the reader is interested, he can find it all there.

===== 4. Findings & Remediation =====

Here you describe the security issues and offer suggestions for remediation.

  * This is the "meat and taters" of the report.
  * **Findings** should include:
    - Risk Rating (e.g., from CVSS, etc.)
    - Risk Prioritization (based on likelihood and impact)
    - Business Impact Analysis (organization specific)

===== 5. Conclusion =====

  - Summarize your conclusions (wrap it up)
  - Make recommendations for future work. Try to identify common themes or root causes discovered during the PenTest.
    * Help them improve their security.
    * e.g., common vulnerabilities, best practices, etc.
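The Findings & Remediation section above asks for a risk rating (e.g., CVSS), a likelihood/impact prioritization, and a business-impact note per finding. The script below is an added example, not part of the original page: it maps a CVSS v3.x base score to the qualitative severity bands published with the CVSS v3.x specification (None/Low/Medium/High/Critical), derives a priority from an assumed 3x3 likelihood-by-impact matrix (the matrix and its P1/P2/P3 labels are this example's own choice, not from the page), and orders a constructed list of findings so the report table leads with the most urgent items. All finding titles, scores and remediations are made up for illustration.

```python
"""Ordering PenTest findings for the Findings & Remediation section.

Added example: CVSS severity band + likelihood x impact priority, then a
sort so the most urgent findings come first in the report table.
"""
from dataclasses import dataclass

# CVSS v3.x qualitative severity rating scale (from the CVSS v3.x spec).
CVSS_BANDS = (
    (0.0, 0.0, "None"),
    (0.1, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
)

# Assumed 3x3 likelihood/impact matrix (not from the page): 1 = low, 3 = high.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    title: str
    cvss: float                 # CVSS v3.x base score, 0.0-10.0
    likelihood: str             # "low" | "medium" | "high"
    impact: str                 # "low" | "medium" | "high"
    remediation: str
    business_impact: str = ""   # organization-specific note for the report


def cvss_severity(score: float) -> str:
    """Return the CVSS v3.x qualitative severity label for a base score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    score = round(score, 1)  # CVSS scores carry one decimal place
    for low, high, label in CVSS_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"unmapped CVSS score: {score}")


def priority(finding: Finding) -> int:
    """Likelihood x impact product: 1 (lowest) to 9 (highest)."""
    try:
        return LEVELS[finding.likelihood.lower()] * LEVELS[finding.impact.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown likelihood/impact level: {exc}") from None


def priority_label(score: int) -> str:
    """Collapse the 1-9 product into three report bands (assumed cut-offs)."""
    if score >= 6:
        return "P1"
    if score >= 3:
        return "P2"
    return "P3"


def order_findings(findings):
    """Sort for the report: priority first, CVSS as tie-breaker, then title."""
    return sorted(findings, key=lambda f: (-priority(f), -f.cvss, f.title))


def render(findings) -> str:
    """Produce a DokuWiki table, one row per finding, most urgent first."""
    rows = ["^ Priority ^ Severity ^ CVSS ^ Finding ^ Remediation ^"]
    for f in order_findings(findings):
        rows.append(
            f"| {priority_label(priority(f))} | {cvss_severity(f.cvss)} "
            f"| {f.cvss:.1f} | {f.title} | {f.remediation} |"
        )
    return "\n".join(rows)


# Constructed sample findings (hypothetical; not from any real engagement).
SAMPLE = [
    Finding("Default credentials on admin console", 9.8, "high", "high",
            "Change defaults; enforce MFA", "Full control of customer portal"),
    Finding("Verbose server banner", 3.1, "high", "low",
            "Suppress version headers"),
    Finding("Missing rate limiting on login", 5.3, "medium", "medium",
            "Add lockout / rate limits"),
    Finding("Outdated TLS cipher suites", 7.4, "low", "medium",
            "Disable legacy ciphers"),
]

if __name__ == "__main__":
    print(render(SAMPLE))
```

Note how the ordering differs from a plain CVSS sort: the "High" TLS finding lands last because its likelihood is low in this (assumed) environment, while the medium-CVSS login issue moves up. That gap between raw severity and prioritized risk is exactly what the Business Impact Analysis column is there to explain to the reader.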